Security Posture Best Practices

Glossary of Trust

ADFS SSO Active Directory Federation Services (ADFS) is a Single Sign-On (SSO) solution created by Microsoft. As a Windows Server operating system component, it provides users with authenticated access to applications.
Apple SSO Sign-in with Apple is a Single Sign-On (SSO) solution created by Apple. It gives users the ability to sign into applications with their Apple ID.
Audit Logs Records that document activities impacting operations, procedures, or events within an organization's software, so that an action can later be traced to who did it and when.
Auto Scaling A cloud computing pattern/technique for dynamically allocating and deallocating computing resources such as server capacities or virtual machines based on demand.
Bug Bounty A policy surrounding the potential for individuals to receive recognition or compensation for discovering and reporting bugs or security vulnerabilities with a specific set of rules and procedures. 
Business Continuity Plan A business continuity plan (BCP) is a document that outlines how a business will continue operating during an unplanned service disruption. It's more comprehensive than a disaster recovery plan and contains contingencies for business processes, assets, human resources, and business partners – every aspect of the business that might be affected.
C5 The Cloud Computing Compliance Criteria Catalogue (C5, current version C5:2020) was developed by the German Federal Office for Information Security (BSI) to assess the information security of cloud services. It builds on internationally recognized standards such as ISO/IEC 27001 to set a consistent audit baseline that helps establish a framework of trust between cloud providers and their customers.
C5 - Data Center Indicates that a processor's data storage solution meets the minimum standards of the C5 framework.
C5 Attestation A report, issued by an independent third party, that verifies an organization's compliance with C5 requirements.
CCPA The California Consumer Privacy Act is a state statute intended to enhance privacy rights and consumer protections for California residents in the United States.
Confidentiality Agreements Indicates that an organization has procedures and policies relating to NDAs and employee confidentiality agreements. 
COPPA The Children's Online Privacy Protection Act (COPPA) is a United States federal law regulating the online collection of personal information from children under the age of 13, including marketing directed at them.
CSA C-STAR Assessment A robust third-party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards.
CSA GDPR Code of Conduct Certification Certification based on a third-party evaluation of the compliance of a cloud services provider's services to the GDPR, designed to offer both a compliance tool for GDPR compliance and transparency guidelines regarding the level of data protection provided by the cloud service provider.
CSA GDPR Code of Conduct Self-Assessment A self-assessment that a cloud service provider can complete to evaluate the compliance of its services to the GDPR. After the self-assessment is published on the Registry, it will remain valid for one year. The Self-Assessment requires the publication of a (1) Code of Conduct Statement of Adherence and (2) the PLA Code of Practice Template and must be updated when a change is made to company policies or practices that affect the assessed service.
CSA STAR The Cloud Security Alliance's Security, Trust & Assurance Registry Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The STAR Certification is based on achieving ISO/IEC 27001 and a specified set of criteria detailed in the Cloud Controls Matrix (CCM).
CSA STAR - Level 1 A free way for any CSP to provide their customers with the security assurances of a STAR listing. To be listed at Level 1, cloud service providers self-assess their security practices and controls against the CSA's best practices (using either the Consensus Assessments Initiative Questionnaire [CAIQ] or the Cloud Controls Matrix [CCM]) and submit their assessment to the CSA. Level 1 is a self-assessment, not an independent audit.
CSA STAR - Level 1 Continuous A continuously audited version of the CSA STAR - Level 1 certification. Continuous auditing focuses on testing for the occurrence of a risk and the ongoing effectiveness of a control.
CSA STAR - Level 2 It helps cloud service providers offer more transparency and assurance than Level 1 in two ways. First, it requires an assessment of a CSP's security controls to be completed by a CSA-certified third party (a list of which the CSA maintains on its website). Second, it's designed to enhance the security controls of other standards and certifications that a CSP might follow (industry or geographically specific to their business) for the cloud.
CSA STAR - Level 2 Continuous A continuously audited version of the CSA STAR - Level 2 certification. Continuous auditing focuses on testing for the occurrence of a risk and the ongoing effectiveness of a control.
CSA STAR - Level 3 Where STAR Levels 1 and 2 offer a continuous option to increase transparency and assurance through periodic self-assessment, CSA STAR Level 3 takes "continuous" one step further by automating the validation of security control effectiveness in near real time.
CSA STAR Attestation It provides guidelines for CPAs to conduct SOC 2 engagements based on criteria from the AICPA and the CSA Cloud Controls Matrix (CCM). Attestation listings expire after one year unless they are updated.
CSA STAR CAIQ The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider. The CAIQ was developed to create commonly accepted industry standards to document the security controls in infrastructure-as-a-service, platform-as-a-service, and software-as-a-service applications.
CSA STAR Certification Based on a third-party audit of a cloud service provider's security. It leverages the requirements of the ISO/IEC 27001:2013 standard and the CSA Cloud Controls Matrix. Certificates follow the ISO/IEC 27001 protocol and expire after three years unless updated.
CSA STAR Self-Assessment Used to document the security controls provided by cloud computing offerings and helps users assess the security of cloud providers. On an annual basis, cloud providers complete a Consensus Assessments Initiative Questionnaire (CAIQ) to document their compliance with the Cloud Controls Matrix (CCM). This information is made publicly available to promote industry transparency and provide visibility into security practices.
Data Backups Indicates that an organization has automated and recurring backup procedures designed to protect against data loss.
Data Breach Notification Indicates that an organization has specific policies related to the notification of users following unauthorized access to data. 
Data Encrypted At-Rest Protects stored data. If an attacker obtains a disk or backup containing encrypted data but not the encryption keys, the attacker must break the encryption to read the data; the protection is therefore only as strong as the key management around it.
Data Encrypted In-Transit Protects data as it moves from one location to another, as when you send an email, browse the Internet, or upload/download documents to and from the cloud.
Data Processing Addendum (DPA) A contract between data controllers and data processors or data processors and subprocessors that is intended to ensure that each entity in the partnership is operating in compliance with the GDPR or other applicable privacy laws to protect the interests of both parties.
Data Protection Officer (DPO) A designated role in an organization for ensuring compliance regarding privacy laws and regulations on personal data: under certain conditions, the GDPR requires organizations to appoint a DPO.
Data Protection Officer (DPO) Email The email address to reach a Data Protection Officer.
Data Redundancy Indicates that the same data is stored in two or more separate places.
Data Removal Requests The GDPR introduced the right of individuals to have their data erased upon request. Since its introduction, this concept has been adopted by almost all other new privacy regulations. Also known as "the right to be forgotten," the right to erasure requires that a company remove a customer's data within one month of a verbal or written request. Data Removal Requests mean that a company has implemented a process for customers to make these requests and that the company honors them in compliance with the GDPR and other regulations.
Data Retention Policy A policy concerning what data should be stored or archived, where that should happen, and how long. Once the retention period for a particular data set expires, it can be deleted or moved as historical data to secondary or tertiary storage, depending on the requirements.
Denial of Service (DoS) Protection Measures taken to protect against Denial of Service attacks, wherein attackers flood the target host/network with incoming traffic until the target cannot respond or crashes.
Disaster Recovery Plan A disaster recovery plan (DRP) is a document that outlines a company's response to unplanned incidents such as natural disasters, power outages, cyber-attacks, and other disruptive events. The DRP includes strategies for minimizing the effects of a disaster so that the company can continue to operate or quickly resume critical operations.
Dynamic Application Security Testing (DAST) A security testing method that emphasizes attacking an application from the outside to find security vulnerabilities.
Employee Background Checks Employers run background checks to avoid hiring someone who may threaten the workplace or become a liability to the employer. An employment background check can include but is not limited to, a person's work history, education, credit history, motor vehicle reports (MVRs), criminal record, medical history, use of social media, and drug screening.
Employee Security Training A strategy used by IT and security professionals to prevent and mitigate user risk. These programs are designed to help users and employees understand their role in helping combat information security breaches.
Employee Workstations Automatically Locked The policy of automatically locking employee devices after a period of inactivity and requiring a password to unlock them.
Employee Workstations Encrypted The policy of encrypting employee hard drives (full-disk encryption) so that data stored on a lost or stolen device cannot be read without the key.
Environmental Safeguards Indicates that a company utilizes environmental and physical controls to protect physical and digital assets from theft and damage.
Environmental Safeguards - Data Center Indicates a processor's data center implements environmental safeguards.
ePrivacy An EU directive focused on protecting the confidentiality of electronic communication between parties. This includes non-personal information exchanged.
EU-US Privacy Shield A framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. It was invalidated by the Court of Justice of the European Union in July 2020 (the Schrems II ruling), so a Privacy Shield self-certification alone no longer provides a lawful transfer mechanism under the GDPR.
Facebook SSO A Single Sign-On (SSO) solution created by Facebook. It gives users the ability to sign into applications with their Facebook credentials.
FedRAMP The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that promotes the adoption of secure cloud services across the United States federal government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, emphasizing the security and protection of federal information.
FedRAMP - High High (Impact) data is usually in Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
FedRAMP - Low Low (Impact) is most appropriate for cloud service offerings where the loss of confidentiality, integrity, or availability would result in limited adverse effects on an agency's operations, assets, or individuals.
FedRAMP - Moderate Moderate (Impact) is most appropriate for cloud service offerings where the loss of confidentiality, integrity, or availability would seriously affect an agency's operations, assets, or individuals. Serious adverse effects include significant operational damage to agency assets, financial loss, or harm to individuals that does not involve loss of life or serious injury.
FedRAMP Authorization Report A report comprising two parts: a full security assessment, which is an independent audit against the FedRAMP baseline controls, followed by the agency authorization process.
FedRAMP Authorized Indicates an organization is compliant with the FedRAMP set of security standards.
FISMA The Federal Information Security Management Act (FISMA) of 2002, updated by the Federal Information Security Modernization Act of 2014, is a framework of security standards to protect government information, including information handled by third-party vendors, contractors, and partners.
FISMA - Data Center Indicates that a processor's data storage solution is protected by a security infrastructure that meets the standards of the FISMA framework.
FISMA - High A compliance level reserved for third parties handling the highest-impact data, that is, information whose compromise would have severe or catastrophic implications.
FISMA - High - Data Center Indicates that a processor's data storage solution is protected by a security infrastructure that meets the FISMA - High certification standards.
FISMA - Low A compliance level for third parties handling information that, if compromised, would have only limited adverse effects.
FISMA - Low - Data Center Indicates that a processor's data storage solution is protected by a security infrastructure that meets the FISMA - Low certification standards.
FISMA - Moderate A compliance level for third parties handling information that, if compromised, would have serious adverse effects.
FISMA - Moderate - Data Center Indicates that a processor's data storage solution is protected by a security infrastructure that meets the FISMA - Moderate certification standards.
GDPR The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the European Union and the European Economic Area (EEA).
GitHub SSO A Single Sign-On (SSO) solution created by GitHub. It gives users the ability to sign into applications with their GitHub credentials.
Google SSO A Single Sign-On (SSO) solution created by Google. It gives users the ability to sign into applications with their Google credentials.
HIPAA The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was designed to protect patients' protected health information (PHI), including the personally identifiable information it contains, from disclosure without consent.
HITECH The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 was enacted to promote and expand the adoption of electronic health records. 
Incident Response Plan (IRP) A set of instructions to help employees detect, respond to, and recover from network security incidents in areas like cybercrime, data loss, and service outages.
Infrastructure Redundancy Adding additional instances of network devices and lines of communication to help ensure network availability and decrease the risk of failure along critical data paths.
Inherited Subprocessors A Subprocessor is a third-party data processor who has or potentially will have access to or process service and potentially personal data. Inherited subprocessors are the subprocessors of an organization's subprocessors and are essential to note since those services may also receive the organization's customer data.
IP-Based Access Control A control that restricts access to applications or resources based on IP address.
ISO 22301 The international standard for business continuity management systems (BCMS). It provides a framework for developing incident response and recovery procedures so that an organization can keep operating, or recover quickly, during a disruption.
ISO 27001 An international standard specifying the requirements for an information security management system (ISMS). It was first published jointly by the International Organization for Standardization and the International Electrotechnical Commission in 2005, revised in 2013, and revised again in 2022.
ISO 27001 Certificate A certificate, issued by an accredited certification body, confirming that an organization's ISMS has been audited against ISO 27001.
ISO 27017 A security standard developed for cloud service providers and cloud customers, adding cloud-specific implementation guidance and controls to ISO 27002 in order to reduce the risk of security problems in cloud environments.
ISO 27017 Certificate The certificate obtained from ISO 27017 compliance, normally issued as an extension of an ISO 27001 certification.
ISO 27018 The first international standard was created specifically for data privacy in cloud computing. Its main objective, according to the International Organization for Standardization (ISO), is to establish "commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII)."
ISO 27018 Certificate The certificate was obtained from ISO 27018 compliance.
ISO 27032 An international standard that provides guidance for improving the state of cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular information security, network security, internet security, and critical information infrastructure protection (CIIP).
ISO 27032 Certificate The certificate was obtained from ISO 27032 compliance.
ISO 27701 A data privacy extension to ISO/IEC 27001 & 27002. It provides a framework for organizations to implement a system to support compliance with the GDPR, CCPA, and other data privacy compliance requirements.
ISO 27701 Certificate The certificate was obtained from ISO 27701 compliance. 
LDAP SSO Lightweight Directory Access Protocol (LDAP) is an open protocol for querying and modifying directory services such as Active Directory, including authenticating (binding) users against the directory. LDAP SSO lets applications authenticate users with their existing directory credentials, and lets system admins set permissions that control who can read or modify entries in the directory.
Limited Employee Access (Principle of Least Privilege) The idea is that any user, program, or process should only have the minimum privileges necessary to perform its function.
LinkedIn SSO A Single Sign-On (SSO) solution created by LinkedIn. It gives users the ability to sign into applications with their LinkedIn credentials.
Microsoft SSO A Single Sign-On (SSO) solution created by Microsoft. It gives users the ability to sign into applications with their Microsoft credentials.
Multi-Factor Authentication An electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence from different categories: something they know (knowledge, such as a password), something they have (possession, such as a phone or hardware token), and something they are (inherence, such as a fingerprint).
Multi-Tenant Architecture An architecture that allows a single software application instance to serve multiple customers.
Passwords Encrypted The practice of storing login credentials in a non-reversible form rather than in plaintext. In practice this means hashing each password with a unique random salt using a deliberately slow password-hashing function (such as bcrypt, scrypt, or Argon2), not reversible encryption, so that a party who steals the credential store cannot recover the passwords and use them to log in.
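The possession factor described above is most often a time-based one-time password (TOTP, RFC 6238). The following is an added example and not code from the original page: a stand-alone TOTP generator and verifier. The seed DEMO_SECRET is the RFC 6238 reference seed used only so the output can be checked against the published test vectors; the 30-second step, the one-step skew window, and the last_counter replay check are the author's assumptions about a sensible policy.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo secret: the RFC 6238 reference seed (ASCII "12345678901234567890").
# A real deployment generates a random per-user secret and stores it encrypted.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP interval (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(
    secret: bytes,
    code: str,
    for_time: float,
    last_counter: Optional[int] = None,
    window: int = 1,
    step: int = TIME_STEP,
    digits: int = 6,
) -> Optional[int]:
    """Return the counter the code matched, or None if it is rejected.

    - Accepts +/- `window` steps of clock skew between client and server.
    - Rejects any counter <= last_counter, so a code captured by an attacker cannot
      be replayed within its validity window. The caller persists the returned
      counter per user and passes it back on the next attempt.
    - Compares in constant time so timing does not leak which digits matched.
    """
    base = int(for_time) // step
    for skew in range(-window, window + 1):
        counter = base + skew
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "accepted:", verify_totp(DEMO_SECRET, code, now) is not None)
```

Note that the verifier returns the matched counter rather than a bare True: storing it is what turns a one-time password into a one-time password, since otherwise the same code is accepted for the whole skew window.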
PCI-DSS The Payment Card Industry Data Security Standard—an information security standard that applies to companies that store and handle credit card information from the most common providers and schemes.
PCI-DSS - Data Center This signifies that the processor's data storage satisfies the Payment Card Industry Data Security Standard resulting from collaboration between the five largest credit card brands: Visa, MasterCard, American Express, Discover, and JCB.
PCI-DSS - Level 1 The merchant level of the Payment Card Industry Data Security Standard that applies to merchants handling over 6 million card transactions annually; it is the only level that requires an annual on-site assessment by a Qualified Security Assessor.
PCI-DSS - Level 1 - Data Center This signifies that the processor's data storage satisfies Level 1 of the Payment Card Industry Data Security Standard.
PCI-DSS - Level 2 The merchant level of the Payment Card Industry Data Security Standard that applies to merchants handling between 1 and 6 million card transactions annually.
PCI-DSS - Level 2 - Data Center This signifies that the processor's data storage satisfies Level 2 of the Payment Card Industry Data Security Standard.
PCI-DSS - Level 3 The merchant level of the Payment Card Industry Data Security Standard that applies to merchants handling between 20,000 and 1 million e-commerce card transactions annually.
PCI-DSS - Level 3 - Data Center This signifies that the processor's data storage satisfies Level 3 of the Payment Card Industry Data Security Standard.
PCI-DSS - Level 4 The merchant level of the Payment Card Industry Data Security Standard that applies to merchants handling fewer than 20,000 e-commerce card transactions annually.
PCI-DSS - Level 4 - Data Center This signifies that the processor's data storage satisfies Level 4 of the Payment Card Industry Data Security Standard.
PECR The Privacy and Electronic Communications Regulations, a law in the United Kingdom, restrict the sending of direct marketing materials electronically. One fundamental tenet of the PECR is requiring companies to obtain opt-in consent from parties before sending them marketing materials.
Penetration Testing Also called a pen test, penetration testing is a simulated cyberattack on a system performed to test the system's security.
Personnel Screening The practice of analyzing the background of job applicants to ensure their credibility and fit for a role. This could include but is not limited to credit history, criminal records, and previous employment/education records.
Physical Access Control A system that ensures only authorized individuals can access a company's premises. This often includes using electronic credentials to give specific individuals access to certain physical spaces and systems.
Physical Access Control - Data Center This signifies that a processor's data storage employs a functioning Physical Access Control System.
POPIA The Protection of Personal Information Act is a regulation in South African law on data protection and privacy in South Africa. It also addresses the transfer of personal data outside of South Africa.
Primary Subprocessors A Subprocessor is a third-party data processor who has or potentially will have access to or process service and potentially personal data.
Privacy Policy A document that explains how a website or organization will collect, store, protect, and utilize personal information provided by its users.
Quality Assurance Testing Quality Assurance (QA) testing ensures that an organization delivers the best products or services possible.
Responsible Disclosure A vulnerability disclosure model in which a vulnerability or an issue is disclosed only after a period that allows the exposure or problem to be patched or mended.
Role-Based Access Control (RBAC) The ability to restrict access based on a person's position within an organization. 
Salesforce SSO A single sign-on (SSO) solution created by Salesforce. It gives users the ability to sign into applications with their Salesforce credentials.
SAML SSO Security Assertion Markup Language (SAML) single sign-on (SSO) transfers a user's identity from an Identity Provider to a Service Provider through digitally signed XML assertions; the Service Provider must validate the signature against the Identity Provider's certificate before trusting the assertion. SAML is one of the main protocols that make web-based SSO possible, alongside OpenID Connect.
Sarbanes-Oxley (SOX) - Data Center The definition is coming soon! 
SCIM User Management The System for Cross-domain Identity Management (SCIM) is an open standard providing a schema and REST API for managing user-identity information. It can automatically provision and de-provision user accounts in external systems such as Google Workspace (formerly G Suite) or Microsoft 365 (formerly Office 365), so that access is removed when a user leaves the identity provider.
Secure Remote Network Access Any security policy or technology that allows employees to connect to a company's internal network while preventing unauthorized access.
Self-Serve User Management The definition is coming soon! 
Service Monitoring A system or set of tools used to check the health of servers and services in a network.
Single-Tenant Architecture A single instance of the software and supporting infrastructure serves a single customer. With a single tenancy, each customer has an independent database and model of the software.
SOC 1 SOC 1 is a set of compliance requirements that applies to companies' internal control over financial reporting. An audit against these controls and the resulting report provides written documentation of an organization's internal controls potentially relevant to audits of their customers' financial statements.
SOC 1 - Data Center This signifies that a processor's data storage has undergone and passed a SOC 1 audit and obtained the corresponding report.
SOC 1 Type I A SOC 1 Type I audit and corresponding report focus on describing a service organization's control processes and the suitability of how those controls are designed to achieve the SOC 1 objectives as of specific dates.
SOC 1 Type I - Data Center Signifies that a processor's data storage has undergone and passed a SOC 1 Type I audit and obtained the corresponding report.
SOC 1 Type I Report A document detailing a company's SOC 1 Type I audit by an independent entity.
SOC 1 Type II A SOC 1 Type II audit and corresponding report contain all of the content of a SOC 1 Type I report, plus an evaluation of the effectiveness of the SOC 1 control processes throughout a specific period.
SOC 1 Type II - Data Center Signifies that a processor's data storage has undergone and passed a SOC 1 Type II audit and obtained the corresponding report.
SOC 1 Type II Report A document detailing a company's SOC 1 Type II audit by an independent entity.
SOC 2 SOC 2 is a set of compliance requirements for companies handling customer data, typically in the cloud. An audit against these controls and the resulting report provide written documentation of how the organization operates and protects customer data based on one or more of the AICPA's five Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), and the methods by which these criteria were tested.
SOC 2 - Data Center This signifies that a processor's data storage has undergone and passed a SOC 2 audit and obtained the corresponding report.
SOC 2 Type I An attestation report describing a service organization's control processes and the suitability of how those controls are designed to achieve the SOC 2 objectives as of a specific date. It does not test whether the controls operated effectively over time.
SOC 2 Type I - Data Center Signifies that a processor's data storage has undergone and passed a SOC 2 Type I audit and obtained the corresponding report.
SOC 2 Type I Report A document detailing a company's SOC 2 Type I audit by an independent entity.
SOC 2 Type II An attestation report describing how a product safeguards customer data and how effective those controls were in operation over a defined review period (commonly six to twelve months).
SOC 2 Type II - Data Center Signifies that a processor's data storage has undergone and passed a SOC 2 Type II audit and obtained the corresponding report.
SOC 2 Type II Report A document detailing a company's SOC 2 Type II audit by an independent entity.
SOC 3 System and Organization Controls 3 is a report on a service organization's internal controls against the AICPA's five Trust Services Criteria. It is based on the same SOC 2 examination but targets a general audience.
SOC 3 - Data Center This signifies that a processor's data storage solution has a SOC 3 report.
SOC 3 Report A report that summarizes the results of a SOC 2 examination but is intended for a general audience and therefore omits the detailed description of controls and test results, so it can be distributed publicly.
Static Application Security Testing (SAST) A testing methodology that emphasizes analyzing source code to find security vulnerabilities that make applications susceptible to attack. These scans are done on an application before the code is compiled.
Status Page A webpage that displays information about outages and scheduled maintenance.
Subprocessor A third-party data processor who has or potentially will have access to or process service and potentially personal data.
Swiss-US Privacy Shield A framework for regulating transatlantic exchanges of personal data for commercial purposes between Switzerland and the United States. In September 2020 the Swiss Federal Data Protection and Information Commissioner concluded that it no longer provides an adequate level of protection for data transfers.
TRUSTe A privacy certification program (operated by TrustArc) whose Enterprise Privacy & Data Governance Practices Assessment Criteria are used to assess an organization's privacy and data governance practices.
Twitter SSO A Single Sign-On (SSO) solution created by Twitter. It gives users the ability to sign into applications with their Twitter credentials.
Vulnerability Scanning The use of an automated program to assess computers, servers, networks, or applications for known security weaknesses, such as unpatched software or insecure configurations.
Zero-Trust Architecture A security framework that requires all users and devices, whether inside or outside the organization's network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted access to applications and data.